feat: expose OpenID id_token to account mapper

[linux4life798]

Prerequisites

• I have searched existing issues and discussions for duplicates
• I reviewed the README and docs to ensure this isn't already supported
• I considered alternatives or workarounds and describe them below
• The scope is minimal and focused on a single feature

Impacted areas (select all that apply)

• Public API (traits, structs, functions, modules)
• Authorization model (roles, groups, permissions)
• Authentication flows (credentials, JWT, cookies, bearer)
• Storage backends (memory/sea-orm/surrealdb)
• Configuration/feature flags
• Error types and error mapping
• Performance/throughput/latency
• Documentation/examples

Problem statement

Today the OAuth2 flow erases OpenID Connect extras by constraining to StandardTokenResponse<EmptyExtraTokenFields, BasicTokenType>. The mapper only sees access/refresh tokens, so consumers must issue an extra UserInfo HTTP call to get claims that are already present in the id_token (e.g., sub, email, email_verified, hd, nonce, iss, aud). This adds latency, another failure mode, and blocks the usage of providers that don't provide a userinfo endpoint.

Proposed solution (high-level)

Allow OIDC token responses (with id_token) to reach with_account_mapper, enabling consumers to validate and extract claims without an extra UserInfo request, before minting the first-party JWT.

API design details

* Widen the mapper input to a token response that retains `id_token` or allows generalization to change the expected response type.
* Surface the raw `id_token` and possibly decoded claims to the mapper; handle JWT verification in the library.
* Consider an additive API (`with_oidc_account_mapper`) or a type alias to keep compatibility; avoid breaking existing mappers.

Primary use-cases and examples

As a consumer of Google/Microsoft OIDC, I want to validate id_token nonce/iss/aud and use sub/email_verified/hd to build my Account without calling the UserInfo endpoint.


// Pseudo code
Gate::oauth2::<Role, Group>()
    .add_scope("openid")
    .with_account_mapper(|token| {
        let id_token = token.id_token().ok_or(...)?
        // validate nonce/aud/iss, decode claims, map to Account
        let claims = id_token
                .claims(&id_token_verifier, &nonce)
                .context("Failed to verify ID token")?;
        let provider_subject = claims.subject().as_str().to_string();
        let name = claims
                .name()
                .and_then(|n| n.get(None).map(|n| n.to_string()));
        let email = claims
                .email()
                .ok_or_else(|| anyhow!("Email is required"))?
                .to_string();
        // Add user info elsewhere.

        let user_id = format!("PROVIDER-UUID:{provider_subject}");
        Ok(Account::<Role, Group>::new(&user_id, &[Role::User], &[]))
    })
    .with_jwt_codec("my-app", codec, 86400);

Alternatives considered

Honestly, I'm not a rust wizard, yet.

Prior art and references

No response

Breaking changes

Possibly (soft break, deprecations)

Breaking changes and migration strategy

No response

Feature flag

Unsure

Configuration surface

No response

Security and privacy considerations

• Encourages/enables validation on id_token claims.
• Reduces attack surface, since we don't need to make another request to userinfo and the info that we have is verified via a crypto signature.
• On the flip side, if a service must handle providers like GitHub and other proper OIDC providers (Google, Microsoft, Tailscale OIDC), simultaneously, then we may have increased the complexity, since this account handler would conditionally use the id_token claims for normal providers, but would make a userinfo request for GitHub.

Performance implications

No response

Observability (logging/metrics/tracing)

No response

Documentation and examples

No response

Acceptance criteria

• Mapper API (or new variant) surfaces id_token JWT to user code

Contribution readiness

• I am willing to help implement this feature
• I can contribute API review feedback
• I will include tests and docs updates in a PR
• I have not included secrets, tokens, or PII in this request

Contact (optional)

@linux4life798

[emirror-de]

Thanks for your detailed request, access to the ID token would indeed be very helpful.

While your thoughts and ideas are very valid, I am thinking about whether it could make sense to add a new Gate variant for OIDC instead of putting it into the OAuth2 variant. This would enable a clear separation between OAuth2 and OIDC. In addition to that we could use the openidconnect crate to realize the implementation because it already implements access to the ID token which the oauth2 crate does not. What is your opinion?

I am happy to add this functionality, but I am currently limited on time. If you are happy you are welcome to work on it.

Side note: Maybe both functionalities, OAuth2 and OIDC could be gated behind features to keep dependencies as small as possible.

[linux4life798]

Hi @emirror-de !

Thanks for the reply. For my use case, where I want to support multiple oauth2 and openidconnect IDPs, I would probably need both mechanisms builtin to one lib.

It somewhat makes sense that there are distinct oauth2 and openidconnect backend libraries to make sure people don't accidentally cross protocols. That being said, for a convenience library like axum-gate, whose purpose is to easily gate access to specific website resources, I think it needs to support all auth methods that would be reasonably used simultaneously (GitHub oauth2 🤦 and Google/Microsoft openidconnect).

I am happy to add this functionality, but I am currently limited on time. If you are happy you are welcome to work on it.

I totally understand. Unfortunately, I had to move onto axum-login (albeit, still not great) to get a bit more flexibility.

Side note: Maybe both functionalities, OAuth2 and OIDC could be gated behind features to keep dependencies as small as possible.

That's totally fair.

---

Thank you for all the great work with axum-gate!

[emirror-de]

I think it needs to support all auth methods that would be reasonably used simultaneously (GitHub oauth2 🤦 and Google/Microsoft openidconnect)

Yes, that is exactly in my interest as well!

I just looked through the description again and found

or new variant

in the acceptance criteria. Thats how I would like to realize it. So there is a clear distinction between oauth2 and oidc.

This feature will be definitely added.